package com.janrain.openid.store;

import java.io.UnsupportedEncodingException;

import com.janrain.openid.Association;
import com.janrain.openid.Util;

/**
 * <p>
 * This is a store for use in the worst case, when you have no way of saving
 * state on the consumer site. Using this store makes the consumer vulnerable to
 * replay attacks (though only within the lifespan of the tokens), as it's
 * unable to use nonces. Avoid using this store if it is at all possible.
 * </p>
 * <p>
 * Most of the methods of this class are implementation details. Users of this
 * class need to worry only about the constructor.
 * </p>
 * 
 * @author JanRain, Inc
 */
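public class DumbStore extends OpenIDStore
{
    // SHA-1 digest of the secret phrase, computed once in the constructor and
    // never replaced for the life of the instance.
    private final byte [] authKey;

    /**
     * <p>
     * Creates a new <code>DumbStore</code> instance. For the security of the
     * tokens generated by the library, this class attempts to at least have a
     * secure implementation of <code>getAuthKey</code>.
     * </p>
     * <p>
     * When you create an instance of this class, pass in a secret phrase. The
     * phrase is hashed with sha1 to make it the correct length and form for an
     * auth key. That allows you to use a long string as the secret phrase,
     * which means you can make it very difficult to guess.
     * </p>
     * <p>
     * Each <code>DumbStore</code> instance that is created for use by your
     * consumer site needs to use the same <code>secret_phrase</code>.
     * </p>
     * 
     * @param secretPhrase
     *            the phrase used to create the auth key returned by
     *            <code>getAuthKey</code>; must not be <code>null</code>
     * @throws NullPointerException
     *             if <code>secretPhrase</code> is <code>null</code>
     * @throws IllegalStateException
     *             if the JVM cannot encode the phrase as UTF-8 (not expected on
     *             any conforming JVM, where UTF-8 is a mandatory charset)
     */
    public DumbStore(String secretPhrase)
    {
        if (secretPhrase == null)
        {
            throw new NullPointerException("secretPhrase must not be null");
        }
        try
        {
            // Digesting the phrase gives the key a fixed length regardless of
            // how long the caller's phrase is.
            authKey = Util.sha1(secretPhrase.getBytes("UTF-8"));
        }
        catch (UnsupportedEncodingException e)
        {
            // UTF-8 support is mandatory, so this path should be unreachable.
            // Fail loudly rather than leave the store with no auth key, which
            // would surface later as a NullPointerException in getAuthKey.
            throw new IllegalStateException("UTF-8 encoding is not supported", e);
        }
    }

    /**
     * This implementation always returns <code>null</code>, because a stateless
     * store cannot remember associations.
     * 
     * @param serverUrl
     *            ignored
     * @param handle
     *            ignored
     * @return <code>null</code>
     */
    public Association getAssociation(String serverUrl, String handle)
    {
        return null;
    }

    /**
     * Returns the auth key derived from the secret phrase in the constructor.
     * 
     * @return a fresh copy of the key; callers may modify the returned array
     *         without affecting the key held by this store
     */
    public byte [] getAuthKey()
    {
        // Hand out a copy so no caller can alter the key this store uses for
        // every subsequent signature it produces or checks.
        return authKey.clone();
    }

    /**
     * This implementation always returns <code>true</code>: this store keeps
     * no state and must operate in dumb mode.
     * 
     * @return <code>true</code>
     */
    public boolean isDumb()
    {
        return true;
    }

    /**
     * This implementation does nothing, since no associations are ever stored.
     * 
     * @param serverUrl
     *            ignored
     * @param handle
     *            ignored
     * @return <code>false</code>, as there is never an association to remove
     */
    public boolean removeAssociation(String serverUrl, String handle)
    {
        return false;
    }

    /**
     * This implementation does nothing; the association is discarded.
     * 
     * @param serverUrl
     *            ignored
     * @param assoc
     *            ignored
     */
    public void storeAssociation(String serverUrl, Association assoc)
    {
        // do nothing
    }

    /**
     * This implementation does nothing; a stateless store cannot record nonces,
     * which is why <code>useNonce</code> has to accept every nonce.
     * 
     * @param nonce
     *            ignored
     */
    public void storeNonce(String nonce)
    {
        // do nothing
    }

    /**
     * In a system truly limited to dumb mode, nonces must all be accepted. This
     * therefore always returns <code>true</code>, which makes replay attacks feasible
     * during the lifespan of the token.
     * 
     * @param nonce
     *            ignored
     * @return <code>true</code>
     */
    public boolean useNonce(String nonce)
    {
        return true;
    }

}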
